I am quite new to PIX and am playing around to get the hang of it. Now I have installed AD on the same machine as the ACS and am trying to get the ACS to look into AD. I have the Cisco doc which I am following to set this up.
I first go into "external user database" -> and set the "windows configuration". Then I go into the "unknown user policy" -> click on "Check the following external user databases" and then select the database under "external database" and then move it into the "selected database" and then click "submit", for which I get a "Number Error 1. The selected DB search list is empty. Correct these errors and submit the form again."
Please advise. What does this mean and what should I do?
Also, I find this mentioned in the document,
"Performing one of the configuration procedures for an external database that are provided in this chapter
(• By Specific User Assignment
• By Unknown User Policy)
does not on its own instruct Cisco Secure ACS to authenticate any users with that database."
- Can someone kindly explain what they mean and what I should do additionally?
Another thing I am trying to do is this. I have different groups set up in AD which have users in them. The setup is that the firewall will separate the network into different segments. Each segment will have different resources and hence different security needs. I want to set up ACS such that any user requesting access to a resource in a particular segment will be allowed access to the segment based on group membership. I want to assign different AD groups to each segment. If the user is a member of a group which has been set up to have access to a segment then he should be allowed access. Else s/he shouldn't. Again, I am not sure how to set it up to do that. Any advice on how to do that please.
Another thing mentioned which I thought might be related to what I am trying to do,
"Regardless of whether a user is authenticated by the internal user database or by an external user database, Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the CiscoSecure user database. Thus, all users authenticated by Cisco Secure ACS, even those whose authentication is performed with an external user database, have an account in the CiscoSecure user database."
- What does this mean, and what does "network services" imply here? Does this mean that, to answer my previous question, I would set up network segments as network services and then map those services to groups, and the rest will be taken care of? Please advise.
I would appreciate all help, advice, links, tuts, how-tos in this regard.
Thanks a bunch
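The following is an added illustration, not code from the post above and not Cisco's implementation. It models the two-stage flow the quoted manual text describes: a user unknown to the internal database is checked against the external databases listed in the unknown user policy, in order; on success an internal account is created for that user and placed in an ACS group via a mapping from external (AD) group to ACS group; authorization is then decided from that ACS group, not from AD directly. The directory entries, group names, segment names and the `SEGMENT_POLICY` mapping are all constructed; the assumption that an empty "selected database" list leaves unknown users with nowhere to be authenticated is the model's reading of the error message in the post, not a statement about why the GUI raised it.

```python
"""Conceptual model of ACS-style authentication vs. authorization.

Added example, not code from the original post and not Cisco's own
implementation. All directory data, group and segment names are constructed.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for Active Directory: user -> (password, AD groups).
AD_DIRECTORY: Dict[str, tuple] = {
    "alice": ("alice-pw", {"Finance-Users"}),
    "bob": ("bob-pw", {"Engineering-Users"}),
    "carol": ("carol-pw", {"Contractors"}),  # AD group with no ACS mapping
}


def ad_lookup(user: str, password: str) -> Optional[Set[str]]:
    """External database check: the user's AD groups on success, None on failure."""
    entry = AD_DIRECTORY.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


# Constructed mapping of external (AD) groups to ACS groups.
GROUP_MAPPING = {"Finance-Users": "finance", "Engineering-Users": "engineering"}
DEFAULT_GROUP = "default"  # users whose AD groups have no mapping land here

# Constructed authorization policy: ACS group -> firewall segments it may reach.
# "default" is deliberately absent, so unmapped users are denied everywhere.
SEGMENT_POLICY: Dict[str, Set[str]] = {
    "finance": {"finance-seg"},
    "engineering": {"dev-seg", "lab-seg"},
}


@dataclass
class Account:
    group: str                      # ACS group that drives authorization
    auth_source: str                # "internal" or the name of an external DB
    password: Optional[str] = None  # only set for internal accounts


@dataclass
class AcsModel:
    internal_users: Dict[str, Account] = field(default_factory=dict)
    external_dbs: Dict[str, Callable] = field(default_factory=dict)
    # Ordered "selected database" list of the unknown user policy.
    unknown_user_policy: List[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self.internal_users.get(user)
        if acct is not None:
            if acct.auth_source == "internal":
                return acct.password == password
            # Known user whose credentials live externally: re-check there.
            return self.external_dbs[acct.auth_source](user, password) is not None
        # Unknown user: walk the search list in order. An empty list means
        # there is nowhere to look, so the request fails.
        for name in self.unknown_user_policy:
            groups = self.external_dbs[name](user, password)
            if groups is None:
                continue
            mapped = next(
                (GROUP_MAPPING[g] for g in sorted(groups) if g in GROUP_MAPPING),
                DEFAULT_GROUP,
            )
            # Every externally authenticated user gets an internal account.
            self.internal_users[user] = Account(group=mapped, auth_source=name)
            return True
        return False

    def authorize(self, user: str, segment: str) -> bool:
        """Authorization uses the ACS group of the internal account only."""
        acct = self.internal_users.get(user)
        if acct is None:
            return False
        return segment in SEGMENT_POLICY.get(acct.group, set())


def build_model(with_policy: bool = True) -> AcsModel:
    acs = AcsModel(external_dbs={"AD": ad_lookup})
    if with_policy:
        acs.unknown_user_policy = ["AD"]
    return acs


if __name__ == "__main__":
    acs = build_model()
    print("alice auth:", acs.authenticate("alice", "alice-pw"))
    print("alice -> finance-seg:", acs.authorize("alice", "finance-seg"))
    print("alice -> dev-seg:", acs.authorize("alice", "dev-seg"))
    print("empty search list, alice auth:",
          build_model(with_policy=False).authenticate("alice", "alice-pw"))
```

The point the model makes about the quoted paragraph: selecting the external database only answers "who can prove they are this user"; which segments that user reaches is decided by the ACS group the account lands in, so the group mapping and the per-group policy are what still need configuring after the external database is selected. Unmapped users fall into a group with no segment rights, so the default is deny.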